// Enable JWT authorization check on the HTTP handler function. func jwtWrap(originalHandler http.HandlerFunc) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { addCommonJwtRespHeaders(w, r) t, _ := jwt.ParseFromRequest(r, func(token *jwt.Token) (interface{}, error) { return publicKey, nil }) if t == nil || !t.Valid { http.Error(w, "", http.StatusUnauthorized) return } else if t.Claims[JWT_USER_ATTR] == JWT_USER_ADMIN { originalHandler(w, r) return } var url = strings.TrimPrefix(r.URL.Path, "/") var col = r.FormValue("col") if !sliceContainsStr(t.Claims[JWT_ENDPOINTS_ATTR], url) { http.Error(w, "", http.StatusUnauthorized) return } else if col != "" && !sliceContainsStr(t.Claims[JWT_COLLECTIONS_ATTR], col) { http.Error(w, "", http.StatusUnauthorized) return } originalHandler(w, r) } }
func (this *JWTFilter) ServeHTTP(writer http.ResponseWriter, request *http.Request) { if this.excludedURLsMatcher.Match(request.URL.Path) { log.Debug("JWTFilter.ServeHTTP - Skipping JWT authentication, URL excluded: " + request.URL.Path) this.innerHandler.ServeHTTP(writer, request) return } authorisationHeader := request.Header.Get("Authorization") log.Debug("JWTFilter.ServeHTTP - Validating JWT token:" + authorisationHeader) if authorisationHeader == "" || len(authorisationHeader) <= 6 || strings.ToUpper(authorisationHeader[0:6]) != "BEARER" { log.Warn("JWTFilter.ServeHTTP - No valid authorization header found, block request") writer.WriteHeader(401) return } token, err := jwt.ParseFromRequest(request, func(token *jwt.Token) (interface{}, error) { return *this.publicKey, nil }) if err != nil { log.Error(err.Error()) writer.WriteHeader(500) return } if token.Valid { log.Debug("JWTFilter.ServeHTTP - Token is valid, setting context and continuing request") this.claimProvider.SetClaims(request, token) this.innerHandler.ServeHTTP(writer, request) } else { log.Warn("JWTFilter.ServeHTTP - invalid token") writer.WriteHeader(401) } }
func RequireTokenAuthentication(rw http.ResponseWriter, req *http.Request) (bool, *model.User) { var loggedUser *model.User = nil var result bool = false authBackend := InitJWTAuthenticationBackend() token, err := jwt.ParseFromRequest(req, func(token *jwt.Token) (interface{}, error) { if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok { return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) } else { return authBackend.PublicKey, nil } }) if err == nil && token.Valid && !authBackend.IsInBlacklist(req.Header.Get("Authorization")) { // 验证通过了,设置当前登陆用户 result = true account := util.ParseString(token.Claims["sub"]) loggedUser = model.GetByAccount(account) } else { rw.WriteHeader(http.StatusUnauthorized) } return result, loggedUser }
func (a *authMiddleware) RequireLogin() gin.HandlerFunc { return func(c *gin.Context) { token, err := jwt_lib.ParseFromRequest(c.Request, func(token *jwt_lib.Token) (interface{}, error) { b := ([]byte(config.GetSecret())) return b, nil }) if err != nil || token == nil || (token != nil && !token.Valid) { c.Error(apiErrors.ThrowError(apiErrors.AccessDenied)) c.Abort() return } var currentUser *models.User var findUserErr error if userId, ok := token.Claims["userId"].(string); ok { if currentUser, findUserErr = userResource.GetById(userId); findUserErr != nil { c.Error(findUserErr) c.Abort() return } } else { panic("Must load userId in token") } c.Set("currentUser", currentUser) c.Next() } }
func ValidateTokenAuthentication(w http.ResponseWriter, req *http.Request, next http.HandlerFunc) { w.Header().Add("Access-Control-Allow-Origin", "*") authBackend, err := InitJwtAuthBackend() if err != nil { w.WriteHeader(http.StatusInternalServerError) } token, err := jwt.ParseFromRequest( req, func(token *jwt.Token) (interface{}, error) { if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok { return nil, fmt.Errorf( "Unexpected signing method: %v", token.Header["alg"], ) } else { return authBackend.PublicKey, nil } }, ) if err == nil && token.Valid && !authBackend.IsTerminated( req.Header.Get("Authorization")) { w.WriteHeader(http.StatusOK) } else { w.WriteHeader(http.StatusUnauthorized) } }
func (s *service) getAndValidateJwtTokenFromRequest(r *http.Request) *jwt.Token { token, err := jwt.ParseFromRequest(r, s.jwtKeyFuncGetBytes) switch errType := err.(type) { case *jwt.ValidationError: switch errType.Errors { case jwt.ValidationErrorExpired: panic(s.ErrorsService.CreateClientError(http.StatusUnauthorized, "Token expired")) default: s.Logger.Error("Unable to parse token: %s", err.Error()) panic(s.ErrorsService.CreateClientError(http.StatusUnauthorized, "[1442894612] Invalid token")) } case nil: //This validation must match up with the one above in call to `jwt.New(jwt.GetSigningMethod(` if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok { panic(s.ErrorsService.CreateClientError(http.StatusUnauthorized, "[1442894613] Invalid token")) } //TODO: We are checking this IsInLoggedOutList even when called from the `BaseLogoutHandler` if !token.Valid || s.JwtHelperService.IsInLoggedOutList(token.Raw) { panic(s.ErrorsService.CreateClientError(http.StatusUnauthorized, "[1442894611] Invalid token")) } return token default: // something else went wrong if err == jwt.ErrNoTokenInRequest { panic(s.ErrorsService.CreateClientError(http.StatusUnauthorized, "[1442947885] Token missing")) } s.Logger.Error("Error casting token error type: %s", errType) panic(s.ErrorsService.CreateClientError(http.StatusInternalServerError, "[1442936515] Invalid token")) } }
func Auth(secret string) gin.HandlerFunc { return func(c *gin.Context) { auth := c.Request.Header.Get("Authorization") l := len(Bearer) if len(auth) > l+1 && auth[:l] == Bearer { token, err := jwt.ParseFromRequest(c.Request, func(token *jwt.Token) (interface{}, error) { b := ([]byte(secret)) return b, nil }) if err == nil && token.Valid { c.Set("claims", token.Claims) if exp, ok := token.Claims["exp"].(float64); ok { log.WithFields(log.Fields{ "UserName": token.Claims["name"], "Exp": (int64(exp) - time.Now().Unix()) / 60, }).Debug("User authorized") } else { log.Errorf("Incorrect claims, %v", token.Claims) } } else { c.AbortWithError(http.StatusUnauthorized, UnAuthError) } } else { // c.JSON(http.StatusUnauthorized, gin.H{"code": http.StatusUnauthorized, "msg": "Sorry, you are not authorized"}) c.AbortWithError(http.StatusUnauthorized, UnAuthError) } } }
// AuthRequest retunn FilterFunc func AuthRequest(o *Options) beego.FilterFunc { RSAKeys.PrivateKey, _ = ioutil.ReadFile(o.PrivateKeyPath) RSAKeys.PublicKey, _ = ioutil.ReadFile(o.PublicKeyPath) return func(ctx *context.Context) { // :TODO the url patterns should be considered here. // Shouldn't only use the string equal for _, method := range o.WhiteList { if method == ctx.Request.URL.Path { return } } parsedToken, err := goJwt.ParseFromRequest(ctx.Request, func(t *goJwt.Token) (interface{}, error) { return RSAKeys.PublicKey, nil }) if err == nil && parsedToken.Valid { ctx.Output.SetStatus(http.StatusOK) } else { ctx.Output.SetStatus(http.StatusUnauthorized) } } }
func RequireTokenAuthentication(w http.ResponseWriter, req *http.Request, next http.HandlerFunc) { // Preflight handling if req.Method == "OPTIONS" { return } authBackend, err := InitJwtAuthBackend() if err != nil { w.WriteHeader(http.StatusInternalServerError) } token, err := jwt.ParseFromRequest( req, func(token *jwt.Token) (interface{}, error) { if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok { return nil, fmt.Errorf( "Unexpected signing method: %v", token.Header["alg"], ) } else { return authBackend.PublicKey, nil } }, ) if err == nil && token.Valid && !authBackend.IsTerminated(req.Header.Get("Authorization")) { next(w, req) } else { w.WriteHeader(http.StatusUnauthorized) } }
func Logout(req *http.Request, ab backends.Authentication, secret []byte, exp int) error { authBackend := InitJWTAuthenticationBackend(ab, secret, exp) tokenRequest, err := jwt.ParseFromRequest(req, func(token *jwt.Token) (interface{}, error) { return authBackend.SecretKey, nil }) if err != nil { return err } tokenString := req.Header.Get("Authorization") return authBackend.Logout(tokenString, tokenRequest) }
func AuthMiddleware(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) { token, err := jwt.ParseFromRequest(r, func(token *jwt.Token) (interface{}, error) { return publicKey, nil }) if err == nil && token.Valid { next(w, r) } else { w.WriteHeader(http.StatusUnauthorized) fmt.Fprint(w, "GO HOME") } }
func Logout(req *http.Request) error { authBackend := authentication.InitJWTAuthenticationBackend() tokenRequest, err := jwt.ParseFromRequest(req, func(token *jwt.Token) (interface{}, error) { return authBackend.PublicKey, nil }) if err != nil { return err } tokenString := req.Header.Get("Authorization") return authBackend.Logout(tokenString, tokenRequest) }
func authMiddleware(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) { // validate the token token, err := jwt.ParseFromRequest(r, func(token *jwt.Token) (interface{}, error) { return verifyKey, nil }) if err == nil && token.Valid { next(w, r) } else { w.WriteHeader(http.StatusUnauthorized) fmt.Fprint(w, "Authentication failed") } }
func Auth(secret string) gin.HandlerFunc { return func(c *gin.Context) { _, err := jwt_lib.ParseFromRequest(c.Request, func(token *jwt_lib.Token) (interface{}, error) { b := ([]byte(secret)) return b, nil }) if err != nil { c.AbortWithError(401, err) } } }
// Middleware for validating JWT tokens func Authorize(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) { // validate the token token, err := jwt.ParseFromRequest(r, func(token *jwt.Token) (interface{}, error) { // Verify the token with public key, which is the counter part of private key return verifyKey, nil }) if err != nil { switch err.(type) { case *jwt.ValidationError: // JWT validation error vErr := err.(*jwt.ValidationError) switch vErr.Errors { case jwt.ValidationErrorExpired: //JWT expired DisplayAppError( w, err, "Access Token is expired, get a new Token", 401, ) return default: DisplayAppError(w, err, "Error while parsing the Access Token!", 500, ) return } default: DisplayAppError(w, err, "Error while parsing Access Token!", 500) return } } if token.Valid { next(w, r) } else { DisplayAppError( w, err, "Invalid Access Token", 401, ) } }
// Verify user's JWT. func checkJWT(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "application/json") addCommonJwtRespHeaders(w, r) t, err := jwt.ParseFromRequest(r, func(token *jwt.Token) (interface{}, error) { return publicKey, nil }) if t == nil || !t.Valid { http.Error(w, fmt.Sprintf("{\"error\": \"%s %s\"}", "JWT not valid,", err), http.StatusUnauthorized) } else { w.WriteHeader(http.StatusOK) } }
// isAuthenticated validates if any incoming request to be a valid JWT // authenticated request. func isAuthenticated(req *http.Request) bool { jwt := InitJWT() tokenRequest, err := jwtgo.ParseFromRequest(req, func(token *jwtgo.Token) (interface{}, error) { if _, ok := token.Method.(*jwtgo.SigningMethodRSA); !ok { return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) } return jwt.PublicKey, nil }) if err != nil { return false } return tokenRequest.Valid }
// isJWTReqAuthenticated validates if any incoming request to be a // valid JWT authenticated request. func isJWTReqAuthenticated(req *http.Request) bool { jwt := initJWT() token, e := jwtgo.ParseFromRequest(req, func(token *jwtgo.Token) (interface{}, error) { if _, ok := token.Method.(*jwtgo.SigningMethodHMAC); !ok { return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) } return []byte(jwt.SecretAccessKey), nil }) if e != nil { return false } return token.Valid }
func AuthenticateToken(c *Context, fn HandlerFunc) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { token, err := jwt.ParseFromRequest(r, func(parsedToken *jwt.Token) (interface{}, error) { if _, ok := parsedToken.Method.(*jwt.SigningMethodRSA); !ok { return nil, fmt.Errorf("Unrecognized signing method: %v", parsedToken.Header["alg"]) } else { return settings.GetPublicKey(), nil } }) if err == jwt.ErrNoTokenInRequest { fn(c, w, r) return } else if err != nil { http.Error(w, err.Error(), http.StatusUnauthorized) return } if !token.Valid { http.Error(w, "Invalid JWT", http.StatusUnauthorized) return } var ok bool c.UserID, ok = token.Claims["sub"].(string) if !ok { log.Fatal("The underlying type of sub is not string") } isStored, err := c.TokenStore.IsTokenStored(c.UserID) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } if isStored { http.Error(w, "Token is no longer valid", http.StatusUnauthorized) return } _, ok = token.Claims["exp"].(float64) if !ok { log.Fatal("The underlying type of exp is not float64") } fn(c, w, r) } }
// Auth middleware returns handler that serves if the request comes in with valid JSON Web Token //It will collect the authkey from the request and add that with GIN Context keys for future request func Auth(secret string) gin.HandlerFunc { return func(ctx *gin.Context) { ctx.Keys = make(map[string]interface{}) ctx.Keys["authKey"] = authKey _, err := jwt.ParseFromRequest(ctx.Request, func(token *jwt.Token) (interface{}, error) { key := ([]byte(secret)) return key, nil }) if err != nil { log.Println("Error: ", err) ctx.AbortWithError(401, err) } } }
func JWTAuth(secret string) gin.HandlerFunc { return func(c *gin.Context) { token, err := jwt_lib.ParseFromRequest(c.Request, func(token *jwt_lib.Token) (interface{}, error) { b := ([]byte(secret)) return b, nil }) if err != nil { c.AbortWithError(401, err) return } c.Set("userId", token.Claims["ID"]) } }
/** TODO: - Check user is login - If not return not login error - If logined set "user" in context **/ func (a *authMiddleware) RequireLogin() gin.HandlerFunc { return func(c *gin.Context) { user, err := jwt_lib.ParseFromRequest(c.Request, func(token *jwt_lib.Token) (interface{}, error) { b := ([]byte(config.GetSecret())) return b, nil }) if err != nil { c.Error(apiErrors.ThrowError(apiErrors.UserNotLogined)) return } c.Set("user", user) } }
func GetTokenFromRequest(r *http.Request, signkey []byte) (token *jwt.Token, err error) { if token, err = jwt.ParseFromRequest(r, func(t *jwt.Token) (interface{}, error) { if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok { return nil, fmt.Errorf("Invalid signature method: %s!", t.Method) } return signkey, nil }); err != nil { return } err = validateToken(token) return }
// Middleware checks an HTTP request to see if it // contains a vlaid JSON web token func Middleware(a *app.App, w http.ResponseWriter, r *http.Request) error { token, err := jwt.ParseFromRequest(r, func(token *jwt.Token) (interface{}, error) { return publicKey, nil }) if err != nil { // @TODO: Handle unauthorized properly w.WriteHeader(http.StatusUnauthorized) log.Println("Unauthorized, figure out how to handle this.") return err } else if token.Valid { return nil } else { log.Fatal("You shouldn't have got here...") } return nil }
func RequireTokenAuthentication(rw http.ResponseWriter, req *http.Request, next http.HandlerFunc) { authBackend := InitJWTAuthenticationBackend() token, err := jwt.ParseFromRequest( req, func(token *jwt.Token) (interface{}, error) { return authBackend.PublicKey, nil }) if err == nil && token.Valid && !authBackend.IsInBlacklist(req.Header.Get("Authorization")) { next(rw, req) } else { rw.WriteHeader(http.StatusUnauthorized) } }
// RequireTokenAuthentication ... func RequireTokenAuthentication(rw http.ResponseWriter, req *http.Request, next http.HandlerFunc) { authBackend := InitJWTAuthenticationBackend() token, err := jwt.ParseFromRequest(req, func(token *jwt.Token) (interface{}, error) { if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok { return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"]) } else { return authBackend.PublicKey, nil } }) fmt.Println(err) if err == nil && token.Valid && !authBackend.IsInBlacklist(req.Header.Get("Authorization")) { next(rw, req) } else { rw.WriteHeader(http.StatusUnauthorized) } }
func jwtHandler(w http.ResponseWriter, r *http.Request) { token, err := jwt.ParseFromRequest(r, func(token *jwt.Token) (interface{}, error) { return publicKey, nil }) fmt.Println(err) fmt.Println(token) if err != nil { http.Error(w, "Bad request", 500) } if token.Valid { fmt.Fprintf(w, "Yo man! ") } else { fmt.Fprintf(w, "Bad ! ") } }
// only accessible with a valid token func authHandler(w http.ResponseWriter, r *http.Request) { // validate the token token, err := jwt.ParseFromRequest(r, func(token *jwt.Token) (interface{}, error) { // since we only use one private key to sign the tokens, // we also only use its public counter part to verify return verifyKey, nil }) if err != nil { switch err.(type) { case *jwt.ValidationError: // something was wrong during the validation vErr := err.(*jwt.ValidationError) switch vErr.Errors { case jwt.ValidationErrorExpired: w.WriteHeader(http.StatusUnauthorized) fmt.Fprintln(w, "Token Expired, get a new one.") return default: w.WriteHeader(http.StatusInternalServerError) fmt.Fprintln(w, "Error while Parsing Token!") log.Printf("ValidationError error: %+v\n", vErr.Errors) return } default: // something else went wrong w.WriteHeader(http.StatusInternalServerError) fmt.Fprintln(w, "Error while Parsing Token!") log.Printf("Token parse error: %v\n", err) return } } if token.Valid { response := Response{"Authorized to the system"} jsonResponse(response, w) } else { response := Response{"Invalid token"} jsonResponse(response, w) } }
func authRequest(w http.ResponseWriter, r *http.Request) { token, err := jwt.ParseFromRequest(r, func(token *jwt.Token) (face interface{}, err error) { fmt.Println(face) return face, nil // return publicKey, nil }) if err != nil { fmt.Println(err) } fmt.Println(token) // if token.Valid { // //YAY! // fmt.Println("token Valid") // } else { // //Someone is being funny // fmt.Println("totken Unautherized") // } }
func Logout(req *http.Request) error { authBackend, err := auth.InitJwtAuthBackend() if err != nil { return err } token, err := jwt.ParseFromRequest( req, func(token *jwt.Token) (interface{}, error) { return authBackend.PublicKey, nil }, ) if err != nil { return err } tokenString := req.Header.Get("Authorization") return authBackend.TerminateToken(tokenString, token) }